chore: new gov publish script

apiarian-datadog · apiarian-datadog · commit 97cc029460f0 · 2025-03-04T14:46:08.000-05:00
diff --git a/ci/publish_layers.sh b/ci/publish_layers.sh
@@ -24,7 +24,20 @@ AWS_CLI_PYTHON_VERSIONS=(
     "python3.13"
     "python3.13"
 )
-PYTHON_VERSIONS=("3.8-amd64" "3.8-arm64" "3.9-amd64" "3.9-arm64" "3.10-amd64" "3.10-arm64" "3.11-amd64" "3.11-arm64" "3.12-amd64" "3.12-arm64" "3.13-amd64" "3.13-arm64")
+PYTHON_VERSIONS=(
+    "3.8-amd64"
+    "3.8-arm64"
+    "3.9-amd64"
+    "3.9-arm64"
+    "3.10-amd64"
+    "3.10-arm64"
+    "3.11-amd64"
+    "3.11-arm64"
+    "3.12-amd64"
+    "3.12-arm64"
+    "3.13-amd64"
+    "3.13-arm64"
+)
 LAYER_PATHS=(
     ".layers/datadog_lambda_py-amd64-3.8.zip"
     ".layers/datadog_lambda_py-arm64-3.8.zip"
@@ -53,11 +66,16 @@ LAYERS=(
     "Datadog-Python313"
     "Datadog-Python313-ARM"
 )
-STAGES=('prod', 'sandbox', 'staging')
+STAGES=('prod', 'sandbox', 'staging', 'gov-staging', 'gov-prod')
 
 printf "Starting script...\n\n"
-printf "Installing dependencies\n"
-pip install awscli
+
+if [ -z "$SKIP_PIP_INSTALL" ]; then
+    echo "Installing dependencies"
+    pip install awscli
+else
+    echo "Skipping pip install"
+fi
 
 publish_layer() {
     region=$1
@@ -89,7 +107,7 @@ fi
 
 printf "Python version specified: $PYTHON_VERSION\n"
 if [[ ! ${PYTHON_VERSIONS[@]} =~ $PYTHON_VERSION ]]; then
-    printf "[Error] Unsupported PYTHON_VERSION found.\n"
+    printf "[Error] Unsupported PYTHON_VERSION found: $PYTHON_VERSION.\n"
     exit 1
 fi
 
@@ -133,8 +151,14 @@ if [[ ! ${STAGES[@]} =~ $STAGE ]]; then
 fi
 
 layer="${LAYERS[$index]}"
+if [ -z "$LAYER_NAME_SUFFIX" ]; then
+    echo "No layer name suffix"
+else
+    layer="${layer}-${LAYER_NAME_SUFFIX}"
+fi
+echo "layer name: $layer"
 
-if [[ "$STAGE" =~ ^(staging|sandbox)$ ]]; then
+if [[ "$STAGE" =~ ^(staging|sandbox|gov-staging)$ ]]; then
     # Deploy latest version
     latest_version=$(aws lambda list-layer-versions --region $REGION --layer-name $layer --query 'LayerVersions[0].Version || `0`')
     VERSION=$(($latest_version + 1))
diff --git a/scripts/publish_govcloud.sh b/scripts/publish_govcloud.sh
@@ -0,0 +1,105 @@
+#! /usr/bin/env bash
+
+# Unless explicitly stated otherwise all files in this repository are licensed
+# under the Apache License Version 2.0.
+# This product includes software developed at Datadog (https://www.datadoghq.com/).
+# Copyright 2025 Datadog, Inc.
+#
+# USAGE: download the layer bundle from the build pipeline in gitlab. Use the
+# Download button on the `layer bundle` job. This will be a zip file containing
+# all of the required layers. Run this script as follows:
+#
+# ENVIRONMENT=[us1-staging-fed or us1-fed] [LAYER_NAME_SUFFIX=optional-layer-suffix] [REGIONS=us-gov-west-1] ./scripts/publish_govcloud.sh <layer-bundle.zip>
+#
+# protip: you can drag the zip file from finder into your terminal to insert
+# its path.
+
+set -e
+
+LAYER_PACKAGE=$1
+
+if [ -z "$LAYER_PACKAGE" ]; then
+    printf "[ERROR]: layer package not provided\n"
+    exit 1
+fi
+
+PACKAGE_NAME=$(basename "$LAYER_PACKAGE" .zip)
+
+if [ -z "$ENVIRONMENT" ]; then
+    printf "[ERROR]: ENVIRONMENT not specified\n"
+    exit 1
+fi
+
+if [ "$ENVIRONMENT" = "us1-staging-fed" ]; then
+    AWS_VAULT_ROLE=sso-govcloud-us1-staging-fed-power-user
+
+    export STAGE=gov-staging
+
+    if [[ ! "$PACKAGE_NAME" =~ ^datadog_lambda_py-(signed-)?bundle-[0-9]+$ ]]; then
+        echo "[ERROR]: Unexpected package name: $PACKAGE_NAME"
+        exit 1
+    fi
+
+elif [ $ENVIRONMENT = "us1-fed" ]; then
+    AWS_VAULT_ROLE=sso-govcloud-us1-fed-engineering
+
+    export STAGE=gov-prod
+
+    if [[ ! "$PACKAGE_NAME" =~ ^datadog_lambda_py-signed-bundle-[0-9]+$ ]]; then
+        echo "[ERROR]: Unexpected package name: $PACKAGE_NAME"
+        exit 1
+    fi
+
+else
+    printf "[ERROR]: ENVIRONMENT not supported, must be us1-staging-fed or us1-fed.\n"
+    exit 1
+fi
+
+TEMP_DIR=$(mktemp -d)
+unzip $LAYER_PACKAGE -d $TEMP_DIR
+cp -v $TEMP_DIR/$PACKAGE_NAME/*.zip .layers/
+
+
+AWS_VAULT_PREFIX="aws-vault exec $AWS_VAULT_ROLE --"
+
+echo "Checking that you have access to the GovCloud AWS account"
+$AWS_VAULT_PREFIX aws sts get-caller-identity
+
+
+AVAILABLE_REGIONS=$($AWS_VAULT_PREFIX aws ec2 describe-regions | jq -r '.[] | .[] | .RegionName')
+
+# Determine the target regions
+if [ -z "$REGIONS" ]; then
+    echo "Region not specified, running for all available regions."
+    REGIONS=$AVAILABLE_REGIONS
+else
+    echo "Region specified: $REGIONS"
+    if [[ ! "$AVAILABLE_REGIONS" == *"$REGIONS"* ]]; then
+        echo "Could not find $REGIONS in available regions: $AVAILABLE_REGIONS"
+        echo ""
+        echo "EXITING SCRIPT."
+        exit 1
+    fi
+fi
+
+for region in $REGIONS
+do
+    echo "Starting publishing layers for region $region..."
+
+    export REGION=$region
+
+    for python_version in "3.8" "3.9" "3.10" "3.11" "3.12" "3.13"; do
+        for arch in "amd64" "arm64"; do
+            export PYTHON_VERSION=$python_version
+            export ARCH=$arch
+
+            export SKIP_PIP_INSTALL=true
+
+            echo "Publishing layer for $PYTHON_VERSION and $ARCH"
+
+            $AWS_VAULT_PREFIX  ./ci/publish_layers.sh
+        done
+    done
+done
+
+echo "Done !"
